Mike Cardwell discovered that RequestPolicy does not correctly handle protocol-relative URLs in redirects. RP treats them as absolute paths relative to the origin's prepath.
Mike reported this yesterday and offered to wait until it's patched before discussing it publicly, which is much appreciated. I have a patch ready now so am making this public.
The bug was the result of me forgetting about protocol-relative URLs. However, more fundamentally, I shouldn't have been writing that code by hand. This patch uses Mozilla APIs instead of my own code to determine the destination URI given an origin and a destination path. I'm fairly sure I knew better at the time I wrote the original code but that I couldn't find the right Mozilla API to do this.
The one uncertainty I have about this patch is that I'm not entirely sure about using URLTYPE_AUTHORITY as the urlType to pass to the new nsIStandardURL instance's init(). From what I can tell, it's a good choice. However, [https://developer.mozilla.org/en/XPCOM_Interface_Reference/nsIStandardURL#Constants the documentation] is a bit lacking.
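The difference between hand-written and parser-based resolution, as an added example that is not RequestPolicy's code or the patch itself: `naiveResolve` is a hypothetical reconstruction of the behaviour described in the report, and the standard `URL` constructor stands in for the Mozilla API the patch uses. The hosts are constructed.

```javascript
// Added example with constructed hosts; not RequestPolicy's code.

// Hand-written resolution with the flaw described in the report: any
// destination starting with "/" is appended to the origin's prepath
// (scheme://host[:port]), so "//host/path" is mistaken for a path.
function naiveResolve(originUri, dest) {
  const origin = new URL(originUri);
  const prePath = origin.protocol + "//" + origin.host;
  if (dest.startsWith("/")) {
    return prePath + dest;
  }
  if (/^[a-z][a-z0-9+.-]*:/i.test(dest)) {
    return dest; // already an absolute URI
  }
  // Relative path: resolve against the origin's directory.
  const dir = origin.pathname.replace(/[^/]*$/, "");
  return prePath + dir + dest;
}

// Resolution delegated to the platform's URL parser, which implements
// the full relative-reference rules, including protocol-relative URLs.
function platformResolve(originUri, dest) {
  return new URL(dest, originUri).href;
}

function destHost(resolved) {
  return new URL(resolved).host;
}

// Compare the host a policy check would see under each resolver.
function compare(originUri, dest) {
  const naiveHost = destHost(naiveResolve(originUri, dest));
  const realHost = destHost(platformResolve(originUri, dest));
  return { dest, naiveHost, realHost, misjudged: naiveHost !== realHost };
}

// Constructed sample redirect destinations.
const ORIGIN = "https://origin.example/start/page";
const SAMPLES = ["/next", "next", "//other.example/landing",
                 "https://other.example/x"];
for (const d of SAMPLES) console.log(compare(ORIGIN, d));
```

Only the protocol-relative sample is misjudged: the hand-written resolver reports the redirect as staying on `origin.example` while the parser resolves it to `other.example`, so a policy decision keyed on the destination host is made against the wrong host.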